News Room

News from Wintercorn about Joomla!, WordPress and other tech subjects

20 March 2017

How Hackers Can Break Into Your Online Accounts Without Passwords

In the wee hours of Wednesday morning, a host of prominent Twitter accounts were compromised and, as a result, began spouting swastika-laden propaganda in support of Turkey's president Recep Erdoğan ahead of a referendum next month which could consolidate his power. So now's a good time to check your own accounts and make sure you close the backdoor that let this happen to other people.

So how did it happen?

If you've ever logged into an app or service by using your Google/Facebook/Twitter account in lieu of creating a new username and password, you've granted that app a set of permissions on your account. This feature is fine and good—it lets you worry about fewer passwords and is sometimes necessary for apps that work directly with your other account. But it's also a security liability.

The access these sorts of apps get is limited. They generally can't change your password or the like; your Twitter/Facebook/Google account reserves that for itself. The apps also never receive your real password: your main account authorizes them with a generated "token" instead. But that level of access is often enough to post to your account, and therefore to your followers. The recent attacks appear to have come through the original app itself being hacked, which hands the attacker every permission that app's users had granted it.

How can you prevent this?

Revoke every app permission you don't actively need, and repeat the review every few months. Every account has a way to review which apps have which kind of access to your account.
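To make the token model above concrete, here is a small Python walkthrough of how a provider issues scoped tokens to a third-party app, why a stolen token can post but cannot change the password, and why revoking the app from your account settings neutralises the token even if the app itself has been hacked. This is an added illustration, not code from the article or from any real identity provider; the provider class, the scope names and the "alice"/"PosterApp" account are all made up for the example.

```python
# Added illustration of scoped app tokens and revocation; not code from the
# article or from any real identity provider. Names and scopes are made up.
import secrets


class Provider:
    """Stands in for the Twitter/Facebook/Google side: it owns the password,
    issues bearer tokens to third-party apps and can revoke them."""

    # Scopes an app may request. Changing the password is deliberately absent,
    # mirroring the article's point that the main account reserves that right.
    GRANTABLE_SCOPES = {"read:timeline", "write:post"}

    def __init__(self):
        # username -> {"password": str, "tokens": {token: (app_name, scopes)}}
        self.accounts = {}

    def register(self, username, password):
        self.accounts[username] = {"password": password, "tokens": {}}

    def authorize_app(self, username, app_name, requested_scopes):
        """The 'log in with X' step: the user approves and the app receives a
        random token. The app never sees the password, only the token."""
        requested = set(requested_scopes)
        if not requested <= self.GRANTABLE_SCOPES:
            raise PermissionError(f"{app_name} asked for ungrantable scopes: "
                                  f"{sorted(requested - self.GRANTABLE_SCOPES)}")
        token = secrets.token_urlsafe(32)
        self.accounts[username]["tokens"][token] = (app_name, frozenset(requested))
        return token

    def act(self, username, token, action):
        """An app presents its token to perform an action; returns a status string."""
        entry = self.accounts[username]["tokens"].get(token)
        if entry is None:
            return "denied: token unknown or revoked"
        app_name, scopes = entry
        if action not in scopes:
            return f"denied: {app_name} lacks scope {action}"
        return f"ok: {app_name} performed {action}"

    def change_password(self, username, current, new):
        """Password changes require the real password, which no app holds."""
        if self.accounts[username]["password"] != current:
            return False
        self.accounts[username]["password"] = new
        return True

    def connected_apps(self, username):
        """The 'review your apps' view: which apps hold which scopes."""
        seen = {}
        for app_name, scopes in self.accounts[username]["tokens"].values():
            seen.setdefault(app_name, set()).update(scopes)
        return {app: sorted(s) for app, s in seen.items()}

    def revoke_app(self, username, app_name):
        """Revoking an app invalidates every token issued to it; the app's own
        copy of the token becomes worthless even if the app was compromised."""
        tokens = self.accounts[username]["tokens"]
        stale = [t for t, (app, _) in tokens.items() if app == app_name]
        for t in stale:
            del tokens[t]
        return len(stale)


def walkthrough():
    """Scenario from the article: an app holding posting rights is compromised."""
    p = Provider()
    p.register("alice", "correct-horse")  # constructed sample account
    token = p.authorize_app("alice", "PosterApp", ["write:post"])

    results = {}
    # Normal use: the app can post on Alice's behalf.
    results["post"] = p.act("alice", token, "write:post")
    # Whoever holds the token cannot exceed the granted scope...
    results["read"] = p.act("alice", token, "read:timeline")
    # ...and a password change needs the real password, which the app never had.
    results["pw_change_with_token"] = p.change_password("alice", token, "pwned")
    # Alice reviews her connected apps and revokes the compromised one.
    results["apps_before"] = p.connected_apps("alice")
    results["revoked"] = p.revoke_app("alice", "PosterApp")
    # The token the app held is now useless.
    results["post_after_revoke"] = p.act("alice", token, "write:post")
    results["apps_after"] = p.connected_apps("alice")
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry: the app's token is a separate credential with its own, narrower rights, so reviewing and revoking tokens is a control you hold on the provider side regardless of what happens to the app.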